Your CEO Just Called (or Did They?): Deepfake Usage in Social Engineering

The Alarming Reality of Voice and Video Impersonation Attacks

In an increasingly digital world, the lines between what’s real and what’s fake are blurring at an alarming rate. One striking example is deepfake scams—a sophisticated form of artificial intelligence that can create highly convincing artificial media. Initially, these tools entertained us with celebrity cameos and viral memes. However, deepfakes have rapidly evolved into a potent weapon in the tool belt of cybercriminals, particularly in the realm of social engineering.

As a result, the time of merely checking an email address or hovering over a link is over. Today, a perpetrator might not just claim to be your CEO—they might sound exactly like them, or even appear on a video call, giving seemingly legitimate instructions. Therefore, understanding this evolving threat is crucial for both individuals and organizations.

What is Deepfake?

At its core, a deepfake is synthetic media—typically video, audio, or images—manipulated or generated by artificial intelligence, specifically deep learning algorithms. These algorithms, trained on vast datasets of real media, learn to mimic the legitimate patterns of human speech, facial expressions, and body language. Consequently, the result is content that can be nearly indistinguishable from authentic media to the average person.

While the term “deepfake” often conjures images of malicious intent, the underlying technology has several legitimate and even beneficial applications, such as film and television reproduction, historical preservation, and training. Unfortunately, the same power that enables creative expression can also be wielded for nefarious purposes. In fact, threat actors are rapidly integrating deepfakes into their social engineering tactics, leveraging the technology to enhance the credibility of their scams and bypass traditional security measures. Ultimately, the goal remains the same: to manipulate individuals into providing sensitive information, transferring funds, or granting unauthorized access.

How are Threat Actors using Deepfake for Social Engineering?

Currently, the most common deepfake application is voice impersonation through vishing. This is one of the most immediate and dangerous uses. For instance, imagine receiving a phone call from a senior executive demanding an urgent wire transfer or access to a critical system. With deepfake audio, the voice on the other end may be nearly identical to the person they claim to be, bypassing voice recognition security and preying on urgency and authority.

Moreover, threat actors are now using video impersonation to take vishing to the next level. In highly targeted Business Email Compromise (BEC) scams, attackers might use deepfake video to conduct a “video conference” with a victim, impersonating a CEO, CFO, or critical client. This adds an unparalleled layer of legitimacy, making it incredibly difficult for the victim to discern the fraud.

A chilling example of this evolving landscape is the North Korean state-sponsored threat group BlueNoroff (also known as APT38 or Lazarus Group’s financial arm). Although their primary focus has historically been cryptocurrency theft and financial fraud, recent reports indicate their experimentation with advanced social engineering techniques that incorporate deepfake elements.

In addition, deepfakes have significant implications for politics. They can be used to spread false narratives, manipulate public opinion, or damage reputations—ultimately creating societal and political instability.

How to Identify a Deepfake

• Unnatural Blinking: Deepfake subjects often blink irregularly or not at all. 

• Inconsistent Lighting or Shadows: The lighting on the person’s face might not match the background, or shadows might fall in unnatural ways. 

• Pixelation or Blurriness Around Edges: Especially around the face or hair, artifacts might be visible. 

• Unusual Eye Movements or Lack of Emotion: Eyes might dart unnaturally, or the person might exhibit a strange lack of genuine emotion despite the context. 

• Audio Anomalies: 

• Monotone or Robotic Sound: While improving, some deepfake voices can still sound flat or lack natural intonation. 

• Background Noise Discrepancies: Background noise might be inconsistent or completely absent, even in a seemingly busy environment. 

• Lip Sync Issues: The lips might not perfectly match the spoken words. 

• Unusual Phrasing or Pauses: While sophisticated models can mimic speech patterns, slight, unnatural pauses or odd phrasing might occur. 

• Source Credibility: Always question the source. Is it coming from an unexpected channel or a new contact? 

• Unusual Requests: Any urgent request for money, sensitive information, or immediate action, especially if it deviates from established protocols, should raise a red flag. 

How to Defend Against Deepfake Scams

Defending against deepfake requires a multi-layered approach that combines technology, policy, and human awareness: 

1. Verify, Verify, Verify: 
   • Out-of-Band Verification: If you receive an urgent request from a senior executive, always verify it through a separate and trusted communication channel. Call them back on a known, pre-approved phone number (not one provided in the suspicious communication), or send an email to their official, confirmed email address. 
   • Challenge Questions: Establish and use pre-arranged challenge questions with high-level executives for sensitive requests. 
   • Two-Factor/Multi-Factor Authentication (MFA): Implement MFA on all critical accounts to provide an extra layer of security, even if credentials are compromised. 

2. Robust Employee Training and Awareness: 
   • Regular Security Awareness Training: Educate employees about evolving threats, specifically highlighting deepfakes and advanced social engineering tactics. 
   • Simulated Attacks: Conduct simulated phishing, vishing, and even deepfake attacks to test employee resilience and identify weak points.
   • Focus on Critical Thinking: Train employees to question unusual requests, especially those creating urgency or fear. 

3. Implement Strong Policies and Procedures: 
   • Clear Financial Transaction Protocols: Establish strict, multi-step verification processes for all financial transfers, especially large ones. This should always involve multiple approvals and out-of-band confirmation. 
   • Incident Response Plan: Have a clear plan in place for reporting and responding to suspected deepfake or social engineering incidents.
   • Communication Protocols: Define clear internal communication protocols for urgent requests from leadership. 

The Deepfake Era Demands a Culture of Cyber Vigilance

The rise of deepfakes marks a significant escalation in the cyberthreat landscape. The ability to convincingly impersonate individuals at the highest levels of an organization presents a dangerous challenge to traditional security measures. 

Organizations and individuals must adapt quickly. This isn’t just about technical defenses; it’s about building a culture of healthy skepticism and thorough verification. The reason being that the human element often remains the weakest link in the security chain. By empowering your workforce with knowledge and robust verification protocols, you can build a strong defense against the increasingly sophisticated deceptions of the deepfake era. Don’t let a convincing voice and/or face trick you; verify before you act. 

Want to learn more about how you can defend your organization against Deepfake Scams? Speak with a Security Consultant today.